[SUMMARY] ftp server with least vulnerability for Solaris

From: Manesh, Nasser <Nasser.Manesh_at_penske.com>
Date: Thu May 17 2001 - 09:19:38 EDT
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Thanks a lot to Allan West, Mike Salehi, Buddy Lumpkin, Casey Jones,
Blaine Owens, Kevin Riechhart, Doug Palmer, Andrew Caines, Paul
Yoshimune, Mark Luntze, Julian Simpson, and Bill "Elvis" Gibs for
the responses...  Andrew sent me the most thorough response that I
have included at the end.

As far as I found out it's more of a matter of taste and personal
preference on what to use as a "secure" ftp server.  I did not get
and did not found any comparison reports or technical reviews. 
Basically, four choice were discussed: wu-ftpd, proftpd, ncftpd, and
the bundled in.ftpd that ships with Solaris.

Wu-ftpd has the worst history of vulnerabilities, but on the flip
side is the most widely used because of its flexibility and
features.  So there's an argument that it's not neccessary a matter
of poor security - more vulnerabilities found just because more
people used it.

Proftpd - http://www.proftpd.net - seems to have a good reputation,
good security, and easy configuration specially if you're familiar
with Apache.

Ncftpd - http://www.ncftp.com - is designed with high performance
and security in mind, but it's not free, although the license fee is
minimal.  In fact, about half of the people who replied recommended

In.ftpd (I had only one recommendation on this) is good enough in
security, but featurewise is limited.

So all in all, personally I still do not have a clear answer.  I'm
still open to any comments - specially technical reviews.

Thanks.  You'll find the original post quoted in Andrew's response.


============  Andrew's response ===========


> Any links/reviews/recommendations about which ftp server software to use on
> Solaris when security is priority number one?

Security is not independednt of functionality. If you want advanced
features like virtual hosting, configurable logging and so on, then
will need a more fully featured server.

By past history, Sun's default FTP server has a good track record.
It is
minimal in terms of functionality, which of course reduces its

However, there is currently an unresolved issue with Solaris'
relating to its globbing handling. AFAIK, it is not yet exploitable.

You will want to run it with TCP Wrapper of course.

ProFTPD <http://www.ProFTPD.org/> has good reputation as a very
and configurable server. It has some useful functions such as the
to chroot itself.

The well-known wu-ftpd has a disasterous security history.

> I'm looking for an ftp server with the least possible vulnerability

My crystal ball is in for repair at the moment. You may like to look
past advisories on different FTP servers on either the SecurityFocus
<http://search.securityfocus.com/search.html> or the ISS X-Force

As a side note, if you offer downloads as well as uploads, you may
want to
consider using HTTP instead of FTP.


Content-Type: text/x-vcard; charset=us-ascii;
Content-Transfer-Encoding: 7bit
Content-Description: Card for Manesh, Nasser (CAP, PTL)
Content-Disposition: attachment;

n:Manesh;Nasser K.
tel;fax:(610) 796-4387
tel;work:(610) 796-6527
org:Penske Truck Leasing;MIS Technology Services
title:UNIX System Administrator, Webmaster
adr;quoted-printable:;;Rt 10 Green Hills=0D=0AP.O. Box 563;Reading;PA;19603-0563;United States
fn:Nasser K. Manesh

Received on Thu May 17 14:19:38 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:55 EDT